What are the 5 steps of an audit?

Internal audits are an essential part of ISO 27001 compliance, so it’s important that you know what you’re doing.

Fortunately, this blog explains the five steps you need to follow to ensure that your internal audit is a success.

1. Scoping and pre-audit survey

You must conduct a risk-based assessment to determine the focus of the audit, and to identify which areas are out of scope.

Information sources could include industry research, previous ISMS (information security management system) reports or other documents, such as the ISMS policy.

Make sure that the audit’s scope is relevant in relation to the organisation – it should normally match the scope of the ISMS being certified.

In the case of large organisations, auditors may need to review how the ISMS is implemented in each business location.

If it’s not possible to review every location, you should at least take a representative sample.

During the pre-audit survey, auditors should also identify and contact the main stakeholders in the ISMS to request any documentation that will be reviewed during the audit.

2. Planning and preparation

After agreeing the ISMS audit scope, auditors must break it down into greater detail.

This involves generating an ISMS audit workplan, in which the timing and resourcing of the audit is agreed with management. Conventional project planning charts, such as Gantt, may prove helpful.

Audit plans identify and put boundaries around the remaining phases of the audit, and often include ‘checkpoints’ that detail specific opportunities for auditors to provide informal interim updates to managers.

Such updates allow auditors to raise concerns regarding access to information or people, and for management to raise concerns regarding the audit process.

You must specify the timing of important audit work so that you can prioritise aspects that you believe pose the greatest risk should the ISMS be found inadequate.

3. Fieldwork

Once an ISMS audit workplan has been generated, auditors must gather evidence by interviewing staff, managers and other stakeholders associated with the ISMS.

They should also review ISMS documents, printouts and data, and observe ISMS processes in action.

Audit tests will need to be performed to validate evidence as it is gathered, and audit work papers must be produced to document the tests performed.

The initial stage of fieldwork typically involves the auditor reviewing documentation relating to and arising from the ISMS.

Their findings may indicate the need for specific audit tests to determine how closely the ISMS follows the documentation in relation to ISO 27001.

4. Analysis

The audit evidence should be sorted, filed and reviewed in relation to the risks and control objectives.

Occasionally, analysis may identify gaps within the evidence or indicate the need for more audit tests, which will involve further field testing.

5. Reporting

This essential component of the audit process typically consists of:

  • An introduction clarifying the scope, objectives, timing and extent of the work performed;
  • An executive summary indicating the key findings, a brief analysis and a conclusion;
  • The intended report recipients and, where appropriate, guidelines on classification and circulation;
  • Detailed findings and analysis;
  • Conclusions and recommendations; and
  • A statement from the auditor detailing recommendations or scope limitations.

The draft audit report should be presented to and discussed with management. Further review and revision may be necessary, because the final report generally involves management committing to an action plan.

Achieve ISO 27001 certification with IT Governance

Having helped more than 800 organisations certify to ISO 27001, IT Governance is a world leader when it comes to implementing the Standard.

If you’re looking for help certifying to ISO 27001 or simply want to boost your information security practices, we have a range of services that can help.

This includes support completing specific tasks, such as the internal audit and gap analysis, as well as consultancy services that guide you through the entire process.

After 25 years in internal audit, I have come to the conclusion that excellent audit planning is essential to ensuring an effective audit. What is a successful audit? A good measure is whether both audit management and the auditee feel good about the end results.

Benjamin Franklin famously said: "By failing to prepare, you are preparing to fail." Indeed, one of the most common causes of unsuccessful audits is inadequate planning. Too often, audit staff commitments to current engagements become an obstacle to planning the next engagement. I would submit that delaying an audit is preferable to not investing the proper amount of time into planning for it.

So what, exactly, comprises effective internal audit planning? I would say the following activities are key components:

1. Research the Audit Area

It is essential to understand the business process or function to be audited. If not familiar with it, thoroughly research the process or function to fully understand the subject matter. Review internal procedures, search the internet for resources, and seek help from subject matter experts.

2. Maintain Open Communications Throughout the Planning Process

The sooner the audit team reaches out to the auditee, the better. There is a certain amount of trepidation involved in any audit. Working with an auditee prior to the audit helps ease concerns the auditee may have. Communicating in person is always preferable. If this is not possible, telephone calls are the next best thing. Avoid communicating by email if possible.

3. Conduct Process Walk-Throughs

Armed with a working understanding of the process or function, conduct a face-to-face walk-through with the auditee. Identify key business objectives, methods employed to meet objectives, and applicable rules or regulations. A walk-through may include a tour of facilities. You may gather background information relative to the nature, purpose, volume, size, or complexity of automated systems, processes, or organizational structure. You might scan documents or records for general condition. All these activities provide opportunities to interface with the auditee and build rapport before the formal entrance conference.

4. Map Risks to the Organization, Process, or Function

Ask the auditee what his concerns are, what "keeps him up at night." Through research and interviews, identify risks to meeting business objectives and controls employed to mitigate those risks. Rate risks with the auditee based on probability of occurrence and potential impact. Consider control design, gaps, or mitigating factors to determine if the control system effectively mitigates risks.

5. Obtain Data Prior to Fieldwork

This has become a principal focus for us recently. We emphasize data in our initial requests for information. We perform data analytics before we begin fieldwork. Identifying anomalies to confirm a condition or weakness early helps us target testing and optimize sample selections.

Results of Improved Audit Planning

Our emphasis on audit planning has yielded worthwhile results. And I will say improving audit planning has been an investment. We now begin our audit planning eight weeks prior to the Entrance Conference. In prior years we historically spent 20 to 25% of our audit budget on planning. Audit planning now comprises approximately 35 to 40% of the total budget. The following are some of the dividends:

  • Improved credibility and relationships with our stakeholders
  • More in-depth and significant issues
  • An increased number of process improvements
  • Reduced fieldwork time

Audit planning is the audit phase in which we can best influence audit results. It is a key but too easily overlooked component of the audit process. It is something that needs to be emphasized and institutionalized into a habit. This habit ultimately leads to audit success.

Wade Brylow was previously the director of internal audit for Northrop Grumman's Technology Services sector. The opinions and ideas expressed here are those of the author and do not represent the opinions, positions, or policies of Northrop Grumman or any other organization.

What are the 5 process steps to an audit?

Audit Process:
Step 1: Planning. The auditor will review prior audits in your area and professional literature. ...
Step 2: Notification. ...
Step 3: Opening Meeting. ...
Step 4: Fieldwork. ...
Step 5: Report Drafting. ...
Step 6: Management Response. ...
Step 7: Closing Meeting. ...
Step 8: Final Audit Report Distribution.

What is audit process step by step?

Although every audit process is unique, the audit process is similar for most engagements and normally consists of four stages: Planning (sometimes called Survey or Preliminary Review), Fieldwork, Audit Report and Follow-up Review. Client involvement is critical at each stage of the audit process.

What are the 5 types of audit?

What are the different types of audits?
  • Internal audits
  • External audits
  • Financial statement audits
  • Performance audits
  • Operational audits
  • Employee benefit plan audits
  • Single audits
  • Compliance audits

What are the 5 elements of audit finding?

There are five elements of a finding:
  • Condition: What is the problem/issue? What is happening?
  • Cause: Why did the condition happen?
  • Criteria: How do we, as auditors, know this is a problem? What should be?
  • Effect: Why does this condition matter? What is the impact?
  • Recommendation: How do we solve the condition?